Clay,

On 4/5/22 12:47, Clay Lehman wrote:
Hello!


I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running into
an error on startup.  I have tried a ton of things, searched, read the docs
over and over, and cannot get past this.  Has anyone had success with this
setup?


I created a fully working sample project and Dockerfile to demonstrate the
issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3


Thanks!

Clay


More info below....


Most of the examples and documentation that I have found are for old
versions of OpenSSL, but I do see some release notes mentioning OpenSSL
v3.0.x so I suspect this is supported to some degree.


I am testing this using a docker container for "Oracle Linux Server 8"
(specifically FROM openjdk:latest). I am running embedded tomcat from
Spring Boot, but I don't suspect that is important for my issue.



Notes about the setup steps (in the Dockerfile example):


1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
  (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0)

RUN cd /usr/src \
  && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
  && tar -zxf openssl-3.0.2.tar.gz \
  && rm openssl-3.0.2.tar.gz \
  && cd openssl-3.0.2 \
  && ./config enable-fips && make -j8 && make -j8 install

RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
  && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3

RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so


2) Installed Tomcat Native from source:
(https://tomcat.apache.org/native-doc/)

RUN microdnf install apr-devel openssl-devel \
  && mkdir /usr/lib/tcnative

RUN cd /usr/src \
  && wget https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz \
  && tar -xvf tomcat-native-1.2.32-src.tar.gz \
  && rm tomcat-native-1.2.32-src.tar.gz \
  && cd tomcat-native-1.2.32-src/native \
  && ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/java/latest --with-ssl=yes --prefix=/usr/lib/tcnative \
  && make \
  && make install


3) Generate a self-signed certificate:

RUN openssl req -x509 -newkey rsa:4096 -passout pass:test -keyout testkey.pem -out testcert.pem -sha256 -days 90 -subj '/CN=test.lehmansoftware.com'



4) To enable Tomcat Native, I pass these parameters:

ENTRYPOINT java \
  -Dserver.port=8443 \
  -Dserver.ssl.enabled=true \
  -Djava.library.path="/usr/lib/tcnative/lib" \
  -Dserver.ssl.certificate-key-file="/testkey.pem" \
  -Dserver.ssl.certificate-file="/testcert.pem" \
  -jar app.jar



5) And finally, here is the error message that I receive on application startup trying to use tcnative.

cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN  [main] core.AprLifecycleListener - The Apache Tomcat Native library failed to load. The error reported was [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits]
cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits
cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native Method) ~[?:?]

Looks like the build worked (right?) so any "undefined symbol" issues you see must be related to the versions made available to the process at runtime.

Make sure you have the same versions of libssl, libapr, and libtcnative that you built yourself and not those that e.g. ship with the OS. Where are all your .so files for libtcnative, libssl, and libapr?

-chris
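One way to run the check Chris suggests (which libcrypto the tcnative library actually resolves to at runtime, and whether that library exports the symbol named in the error), added here as an example; it is not code from the thread or from Tomcat. It assumes `ldd` and `nm` (binutils) are installed in the container; the ldd and nm outputs embedded below are constructed samples, not captured from Clay's image.

```shell
#!/bin/sh
# Added diagnostic for the "undefined symbol" failure discussed above.
# Not code from the thread or from Tomcat; assumes `ldd` and `nm` exist.

# Print the runtime path ldd resolved for a library whose soname starts
# with $2 (e.g. libcrypto.so), given ldd's output in $1.
resolved_lib() {
    printf '%s\n' "$1" | awk -v lib="$2" '
        NF >= 3 && index($1, lib) == 1 && $2 == "=>" { print $3; exit }'
}

# Succeed (exit 0) if `nm -D` output in $1 lists symbol $2 as defined
# (type T or W); version suffixes such as @@OPENSSL_3.0.0 are ignored.
symbol_defined() {
    printf '%s\n' "$1" | awk -v sym="$2" '
        NF >= 2 { name = $NF; sub(/@.*/, "", name)
                  if (name == sym && ($(NF-1) == "T" || $(NF-1) == "W")) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Live check: which libcrypto does $1 load, and does it export $2?
# EVP_PKEY_get_bits (the symbol in the thread's error) is exported by an
# OpenSSL 3.x libcrypto but not by a 1.1.x libcrypto from an OS package.
check_library() {
    lib="$1"; sym="${2:-EVP_PKEY_get_bits}"
    deps=$(ldd "$lib") || return 2
    crypto=$(resolved_lib "$deps" libcrypto.so)
    if [ -z "$crypto" ]; then
        echo "$lib: no libcrypto among its dependencies"; return 2
    fi
    if symbol_defined "$(nm -D "$crypto")" "$sym"; then
        echo "$lib -> $crypto exports $sym"
    else
        echo "$lib -> $crypto lacks $sym: the libcrypto resolved at runtime is not the one the build expected"
        return 1
    fi
}

# Constructed sample outputs (not from a real system) showing a mismatch:
# ldd resolving the OS libcrypto.so.1.1, plus nm -D listings for a 1.1 and a 3.0 libcrypto.
SAMPLE_LDD='    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f00)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f01)
    libapr-1.so.0 => /usr/lib64/libapr-1.so.0 (0x00007f02)'
SAMPLE_NM_OPENSSL11='0000000000123450 T EVP_PKEY_bits@@OPENSSL_1_1_0
                 U malloc@GLIBC_2.2.5'
SAMPLE_NM_OPENSSL3='0000000000123450 T EVP_PKEY_get_bits@@OPENSSL_3.0.0
                 U malloc@GLIBC_2.2.5'

# Usage: sh check_tcnative.sh /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32
if [ $# -gt 0 ]; then check_library "$@"; fi
```

Run it against the same path that appears in the UnsatisfiedLinkError, and repeat for libssl.so and libapr-1.so if you want to see every runtime dependency the loader picked.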
